What should the server return in an OPTIONS request?


Before sending any request to the server, browsers automatically send an OPTIONS request to obtain some information about the server.

What information does the server need to send? Only CORS headers?

Should this information be sent only in these requests, or in the others as well (for compatibility with older browsers or something)?

Do these requests need to be authenticated?

I found this question, but it only gives one sentence that is not very specific about what should be returned.

1 answer


OPTIONS

The OPTIONS method is an HTTP method used to find out which request options are allowed for certain server resources, so this request is made before the others, to find out which permissions are accepted.

In this request, the server returns a list of headers containing some data, but it can also return an error if it has nothing available for the resources.

This can be done in two ways. The first is by specifying a URL in the request, for a specific analysis:

OPTIONS /index.html HTTP/1.1

The other way is to use an asterisk (*), which refers to the resources as a whole:

OPTIONS * HTTP/1.1

This request is initially made to find out the permissions offered for the resources, so that you can use the other requests without getting an error.

For a simple request, you can use curl to send this confirmation request, for example:

curl -X OPTIONS http://index.html -i

In this request, by default, if there are allowed fields, the server will return an Allow header, which indicates which methods it accepts and has permission for, but it returns the data only as information:

HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0

If no requests are allowed, the server will return an empty header, which may occur temporarily for some resource.

The OPTIONS information is provided only in this request, to indicate which methods it accepts. It is not used for sending confirmation.

CORS

It is a specification used to govern resource exchanges between browser and server securely, not allowing scripts to make cross-origin requests.

A request made with CORS is used to find out whether the server allows a specific type of request, providing the parameters to be analyzed, i.e. a "custom" permission check for the server.

Here is a list of CORS headers that can be used in a request.

For example, a request is created to find out whether a specific request that uses POST and has custom headers is accepted. The headers used are Access-Control-Request-Method, for the POST, and Access-Control-Request-Headers, for the custom headers:

OPTIONS /resources/post-here/ HTTP/1.1 
Host: bar.other 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Connection: keep-alive 
Origin: http://foo.example 
Access-Control-Request-Method: POST 
Access-Control-Request-Headers: X-PINGOTHER, Content-Type

From this "custom" request, the server analyzes it and, if allowed, responds with headers indicating whether the specific fields requested may be used. That response is similar to an Allow response.

HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT 
Server: Apache/2.0.61 (Unix) 
Access-Control-Allow-Origin: http://foo.example 
Access-Control-Allow-Methods: POST, GET, OPTIONS 
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type 
Access-Control-Max-Age: 86400 
Vary: Accept-Encoding, Origin 
Content-Encoding: gzip 
Content-Length: 0 
Keep-Alive: timeout=2, max=100 
Connection: Keep-Alive 
Content-Type: text/plain

The CORS mechanism supports secure cross-origin requests, which are requests whose origin (domain, protocol, and port) differs from the page's own origin. With this, the request passes through the authentication made by the server and the result is returned, in order to make a cross-origin request.

In a request with CORS, the browser makes a request in which specific headers are passed, for example an Access-Control-Request-Method header, which asks for the methods that are allowed, and the server responds with Access-Control-Allow-Methods. That is, the browser asks for a confirmation, the server responds with a header stating what is allowed, and with that response the browser checks the returned data; if it is compatible, the browser releases the cross-origin request between different domains.

Compatibility

All browsers have basic support for this type of request, both mobile and desktop browsers.

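The two responses described in the answer above (a plain OPTIONS answered with Allow, and a CORS preflight answered with the Access-Control-* headers) implemented as one Node.js handler. This is an added example, not code from the original answer or from MDN; the route table, the trusted-origin and allowed-header lists, the function names and the port variable are all assumptions made for the illustration. It also covers the question of authentication: browsers send preflights without cookies or Authorization, so an OPTIONS handler that demands credentials breaks every cross-origin request before it starts.

```javascript
'use strict';
// Added example, not the original answer's code. Decides what an OPTIONS
// request gets back: Allow for a plain OPTIONS, plus Access-Control-* headers
// for a CORS preflight from a trusted origin. The tables below are assumptions.

// Assumed resources and the non-OPTIONS methods each one supports.
const ROUTES = {
  '/index.html': ['GET', 'HEAD'],
  '/resources/post-here/': ['GET', 'POST'],
};

// Assumed trusted origins. An explicit allowlist is used instead of echoing
// whatever Origin the client sent: reflecting it (especially together with
// Access-Control-Allow-Credentials) would let any site read the responses.
const ALLOWED_ORIGINS = new Set(['http://foo.example']);

// Assumed non-simple request headers the server is willing to accept.
const ALLOWED_HEADERS = ['X-PINGOTHER', 'Content-Type'];

// Methods allowed for a path. '*' means the server as a whole (OPTIONS * HTTP/1.1).
// Returns null for an unknown path.
function allowedMethods(path) {
  if (path === '*') {
    return ['OPTIONS', ...new Set([].concat(...Object.values(ROUTES)))];
  }
  return ROUTES[path] ? ['OPTIONS', ...ROUTES[path]] : null;
}

// "X-PINGOTHER, Content-Type" -> ['x-pingother', 'content-type'] (header names
// are case-insensitive, so compare them lower-cased).
function parseHeaderList(value) {
  return (value || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Decide the response to an OPTIONS request. `headers` uses lower-cased names,
// as Node's IncomingMessage.headers does. Returns { status, headers }.
function handleOptions(path, headers) {
  const methods = allowedMethods(path);
  if (methods === null) {
    return { status: 404, headers: { 'Content-Length': '0' } };
  }
  const base = { Allow: methods.join(', '), 'Content-Length': '0' };

  const origin = headers['origin'];
  const reqMethod = headers['access-control-request-method'];
  // Without Origin and Access-Control-Request-Method this is a plain OPTIONS:
  // the Allow header is all the client gets.
  if (!origin || !reqMethod) {
    return { status: 204, headers: base };
  }

  // From here on this is a CORS preflight. Browsers send preflights with no
  // cookies or Authorization header, so this path must not require
  // authentication; credentials are checked on the real request that follows.
  const requested = parseHeaderList(headers['access-control-request-headers']);
  const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  const ok =
    ALLOWED_ORIGINS.has(origin) &&
    methods.includes(reqMethod.toUpperCase()) &&
    requested.every((h) => allowedLower.includes(h));
  if (!ok) {
    // No Access-Control-* headers at all: the browser fails the preflight and
    // never sends the real request. 403 makes the refusal visible in logs.
    return { status: 403, headers: base };
  }

  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': methods.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': '86400',
      // The answer depends on Origin, so shared caches must key on it.
      Vary: 'Origin',
    },
  };
}

// Optional server wiring; only started when OPTIONS_DEMO_PORT is set so the
// module can also be loaded without opening a socket. Real GET/POST handling
// is out of scope here; other methods just get Allow back.
function startServer(port) {
  const http = require('http');
  return http
    .createServer((req, res) => {
      const result = req.method === 'OPTIONS'
        ? handleOptions(req.url, req.headers)
        : (() => { const m = allowedMethods(req.url);
                   return m ? { status: 405, headers: { Allow: m.join(', ') } }
                            : { status: 404, headers: {} }; })();
      res.writeHead(result.status, result.headers);
      res.end();
    })
    .listen(port);
}

if (process.env.OPTIONS_DEMO_PORT) {
  startServer(Number(process.env.OPTIONS_DEMO_PORT));
}
```

Run it with `OPTIONS_DEMO_PORT=8080 node options.js` and try `curl -i -X OPTIONS http://localhost:8080/index.html` (Allow only) and the same with `-H 'Origin: http://foo.example' -H 'Access-Control-Request-Method: POST'` against `/resources/post-here/` (Allow plus the Access-Control-* headers). 204 is used for the empty response; the 200 with Content-Length: 0 shown in the answer is equally valid, since a preflight only needs a 2xx status.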

  • It seems to me that your answer explains what OPTIONS is, but does not explain exactly what should be returned in this type of request. From your reply, I understood that in this type of request you only need to return the Allow header, nothing else; is that correct? In practice, what is the difference between Allow and Access-Control-Allow-Methods?

  • The question "Should this information be sent only in these requests or in the others?" refers to OPTIONS requests and not to CORS.

  • @Guilhermecostamilam I made some changes to the text.

  • In the links you provided it says "Responses to the OPTIONS method are not cacheable". If the response cannot be cached, why is it cached in your example?

  • @Guilhermecostamilam Indeed, it is not "cacheable". It is just that this type of request returns what is allowed and what can be used. The example came from the MDN site itself. So much so that if you run curl -X OPTIONS https://developer.mozilla.org -i, pointing at their website, it will also return a header with similar information.
